{"id":"PYSEC-2019-113","details":"CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI.","aliases":["CVE-2019-6802","GHSA-mh24-7wvg-v88g"],"modified":"2023-11-08T04:01:37.875455Z","published":"2019-01-25T04:29:00Z","references":[{"type":"REPORT","url":"https://github.com/pypiserver/pypiserver/issues/237"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-mh24-7wvg-v88g"}],"affected":[{"package":{"name":"pypiserver","ecosystem":"PyPI","purl":"pkg:pypi/pypiserver"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.6"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.2.0","0.3.0","0.4.0","0.4.1","0.5.0","0.5.1","0.5.2","0.6.0","0.6.1","1.0.0","1.0.1","1.1.0","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7-rc.1","1.1.7","1.1.8b0","1.1.8b1","1.1.8","1.1.9.dev0","1.1.9.dev1","1.1.9.dev2","1.1.9","1.1.10","1.2.0.dev1","1.2.0b1","1.2.0","1.2.1.dev0","1.2.1rc0","1.2.1","1.2.2.dev0","1.2.2","1.2.3","1.2.4","1.2.5"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pypiserver/PYSEC-2019-113.yaml"}}],"schema_version":"1.7.3"}